[dns-operations] Missing algorithm 8 signatures in .museum zone

Ondřej Surý ondrej at sury.org
Thu Nov 16 07:21:13 UTC 2017


Since there's at least one valid path, this shouldn't pose an operational
problem unless people are running unbound < 1.5.5 or have enabled
harden-algo-downgrade in unbound.conf.

Maybe it's time to stop enforcing this requirement since unbound 1.5.5
was released two years ago, and force operators running with
'harden-algo-downgrade: yes' to simply disable the option.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>

On Thu, Nov 16, 2017, at 07:20, Viktor Dukhovni wrote:
> 
> The .museum zone has algorithm 8 and 10 DS and DNSKEY RRs, but
> some records are signed with just algorithm 10:
> 
> http://dnsviz.net/d/ww2.dsm.museum/Wg0sRQ/dnssec/
> 
> @d.nic.fr.[194.0.9.1]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38522
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;dsm.museum.            IN DS
> museum.                 SOA     a.nic.fr. ...
> museum.                 RRSIG   SOA 10 1 ...
> 7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. NSEC3 1 1 1 B66887C4 ...
> 7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. RRSIG NSEC3 10 2 ...
> 
> @f.ext.nic.fr.[194.146.106.46]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60958
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;dsm.museum.            IN DS
> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4 
> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. RRSIG NSEC3 10 2 ...
> museum.                 SOA     a.nic.fr. ...
> museum.                 RRSIG   SOA 10 1 ...
> 
> @g.ext.nic.fr.[194.0.36.1]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56321
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;dsm.museum.            IN DS
> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4 ...
> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. RRSIG NSEC3 10 2 ...
> museum.                 SOA     a.nic.fr. ...
> museum.                 RRSIG   SOA 10 1 ...
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
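As an added illustration (not code from either poster), a small Python check that reproduces the two validator behaviours discussed in this thread: given a constructed DS RRset for museum. listing algorithms 8 and 10 (key tags and digests are placeholders) and RRSIG lines like those in the dig output above, it lists which DS-listed algorithms each RRset lacks a signature for, and reports whether a lenient validator ("at least one valid path") or one with harden-algo-downgrade enabled would accept the data. Signature presence stands in for cryptographic verification here.

```python
import re
from collections import defaultdict

# Constructed sample resembling the dig output in the thread.  The DS RRset
# for museum. (served by the root) is assumed: key tags and digests are
# placeholders, only the algorithm numbers (8 and 10) matter.
DS_LINES = """
museum.  86400 IN DS 11111 8  2 PLACEHOLDERDIGEST8
museum.  86400 IN DS 22222 10 2 PLACEHOLDERDIGEST10
"""

# RRSIGs as seen in the thread: every RRset carries only an algorithm 10 signature.
RRSIG_LINES = """
museum.  RRSIG SOA 10 1 86400 20171201000000 20171110000000 22222 museum. SIG...
7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. RRSIG NSEC3 10 2 3600 20171201000000 20171110000000 22222 museum. SIG...
"""

DS_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+\d+\s+(\d+)\s+\d+", re.I)
RRSIG_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(\S+)\s+(\d+)\s+", re.I)

def ds_algorithms(text):
    """Set of DNSKEY algorithm numbers referenced by the delegation's DS RRset."""
    return {int(m.group(2)) for m in map(DS_RE.match, text.splitlines()) if m}

def rrsig_algorithms(text):
    """Map (owner, covered type) -> set of algorithms that signed that RRset."""
    sigs = defaultdict(set)
    for line in text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            sigs[(m.group(1).lower(), m.group(2).upper())].add(int(m.group(3)))
    return sigs

def missing_algorithms(ds_text, rrsig_text):
    """RRsets lacking a signature for some DS-listed algorithm (RFC 4035 sect. 2.2)."""
    expected = ds_algorithms(ds_text)
    return {rrset: sorted(expected - algs)
            for rrset, algs in rrsig_algorithms(rrsig_text).items()
            if expected - algs}

def verdict(ds_text, rrsig_text, harden_algo_downgrade=False):
    """'bogus' if the validator would reject the signed data, else 'secure'."""
    expected = ds_algorithms(ds_text)
    for algs in rrsig_algorithms(rrsig_text).values():
        if not algs & expected:
            return "bogus"          # no signature from any DS-trusted algorithm
        if harden_algo_downgrade and expected - algs:
            return "bogus"          # strict mode: every DS algorithm must sign
    return "secure"
```

With the thread's data both RRsets are missing algorithm 8, so the lenient verdict is "secure" while the harden-algo-downgrade verdict is "bogus".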